
Why MSPs cannot ignore password vulnerability


While businesses implement a number of complex IT security tools and processes to keep their data secure, hackers continue to exploit one of the most basic forms of protection: passwords. The threat of poor password management has increased significantly thanks to the mass move to remote working, and will continue to do so given that a large proportion of the working population want to spend much of their work week remotely.

Taking advantage of poor passwords remains a popular vehicle for cyberattacks because it takes very little effort for cybercriminals to target businesses through the exploitation of user credentials. Password security is often neglected, or not given the time of day compared to other elements of cybersecurity. But in 2019, 30 percent of ransomware infections were a result of poor password management.

Specialized tools that deliver password and privileged information management are now more critical than ever, especially for Managed Service Providers (MSPs). As users suffer from password fatigue and default to password recycling, threat actors are making it their mission to take advantage of this carelessness—and MSPs need to ensure their clients' credentials do not get compromised.

So, what steps should MSPs take to improve password security, and ensure their clients do not end up victims of cyberattacks?

Password managers are key

As MSPs, we are on the front line and are responsible for keeping a host of client information safe, and password security is an important piece of this puzzle. We know that threat actors are constantly finding ways to innovate, so we must do the same and more to stay one step ahead of the game and ensure that client credentials are secure.

Compliance demands that passwords are changed regularly, and this is something that is easily implemented with a purpose-built solution. Our clients have the ability to achieve direct and immediate control and secure password management, without placing undue burden on our service desk—improving the experience for everyone involved.

Make passwords easy for users

IT teams have become a nagging parent, constantly reminding users that they must have strong, complex passwords to ensure their credentials are safe. And much like a rebellious child, users often disregard this information. That’s because many users find that continually creating and remembering complex passwords becomes tiresome, and fall back on simple, hackable passwords as a result. In fact, it was recently uncovered that 44 million Microsoft users were reusing passwords.

Although simple passwords can be easily remembered and recovered at the user level, they can just as easily be breached. A quick Google search can yield lists such as “500 worst passwords” or “10 most common passwords”. These lists are a gold mine for threat actors to gain access to privileged information.

This makes an automated process for password and documentation management more important than we give it credit for. Delegating this work to solutions for secure password and documentation management is one less burden for users.

Trust no one

While encouraging users to keep complex passwords in ‘normal’ circumstances is a feat in itself, password management is even more of an issue considering the majority of people now find themselves working from home. In the comfort of their homes, many users may not feel like they are at risk—but in fact, the risk of breach during this time is even higher. It only takes one device to be breached to compromise an entire organization. And in a volatile market, this could mean game over for many businesses that can’t afford to reclaim their data.

This calls for a zero-trust model, assuming all users pose a threat. We understand the importance of following the path of least resistance, and no matter how often people are reminded to use complex passwords, they are likely to fall back into bad habits. This is why we use a self-service password reset to deliver a more secure, automated, and positive experience.

Practice what you preach

MSPs are in a unique position, having access to credentials for hundreds, and potentially thousands, of customer systems—this makes them a very attractive target for threat actors. We are increasingly seeing MSPs being targeted by cybercriminals in order to gain access to the data they hold. And while we would like to think that password breaches require a specialist skill, weak passwords make it all too easy for threat actors—and make MSPs vulnerable.

Looking after your own security as an MSP is just as important as looking after security for your clients—you have to practice what you preach. It can be a lot to manage, and MSPs need to find ways to make these tasks as pain-free as possible. As a result, we’re constantly looking for new, innovative tools and applications to further automate processes, increase efficiency, and improve the end-user experience. Using a password tool that provides automation and security for our clients removes the risk of human error and provides protection on both ends.

Why MSPs cannot ignore password management

All MSPs know that effective password management is a complex and time-consuming task, but also understand how crucial it is for reducing risk. Let’s not forget that one of the largest breaches to ever occur was a result of a single Yahoo employee’s password being compromised.

Password breaching is one of the longest-running forms of hacking simply because it is a low-effort, high-return form of cyber-attack. This means MSPs must make password management as easy as possible for users, as well as for themselves. Password managers will remove some of the burden for users, and also ensure businesses' credentials are safe. MSPs should also adopt a zero-trust model, as this ensures users and businesses can stay secure no matter the working environment—something that will be crucial as we become accustomed to the new normal of remote working.

Carl Henriksen, CEO, OryxAlign